What's New in Device Configuration, Deployment, and Management

Platform features and tools make it easy to configure, deploy and manage Apple devices in organizations of all sizes. Discover new and updated configuration capabilities for each platform, updated app deployment techniques and tool changes that make low-bandwidth updates more accessible. Learn how educational institutions can use the advancements in Apple School Manager and Classroom to make configuring student devices even easier.

WWDC 2017

Good afternoon. Welcome to Session 304, What's New in Device Management. I'm Todd Fernandez, and I'm very pleased to be your host on this tour through new developments in how Apple devices can be managed in schools and businesses around the world.
I just love this photo.
As Tim said on Monday, iPad has
changed the way we teach, learn
and create, which is why we work
so hard to make it easy to bring
Apple devices into schools so
that students like these girls
can do amazing things with their
iPads or Macs as the case may be
and get excited about learning
and creating.

We also want to unlock new
solutions in enterprise to help
employees be more productive and
enable businesses to create new
ways of serving their customers
by providing experiences in
their hotels, restaurants and
hospitals that were not
previously possible.

Last year, we introduced three
huge new device management
features to support iPad
deployments in schools.
Classroom, an assistant which
helps teachers focus on teaching
rather than managing student
devices.
Shared iPad, a great way to
provide a personalized
experience on an iPad shared by
many students each day in the
classroom.
And last but not least, Apple
School Manager, one place for
school IT administrators to
create and manage all of their
schools' accounts, devices and
content.
Just like 2016, 2017 has already been another big year for device management, as our releases earlier this spring continued to address the most important needs in education and enterprise: introducing many more capabilities to management via MDM and configuration profiles, connecting Apple TV fully into device management and, conversely, removing the management requirement for Classroom by empowering teachers to create their own classes, which brings Classroom to a much wider audience, including schools with bring-your-own-device programs around the world (good day, Australia).
But of course, we didn't stop
there.

Today we'll announce a number of
additional capabilities in each
of these areas to enable people
to make use of Apple devices in
new and exciting ways.
I don't want to spoil the
surprises so we'll cover each as
it comes up during today's
session.

As has become tradition, today's
session will follow deployment
lifecycle, beginning with
enrollment, getting your devices
ready to be managed.
Continuing with distribution,
loading those devices with
compelling apps and content.
Management, performing the
ongoing day-to-day management of
all of your devices.
And finally, I'll give a brief
update on Apple's tools for both
administrators and our MDM
solution partners which take
advantage of all of these new
features.
In a break from tradition, I
will mostly serve as an emcee
this year and leave the
presentation to the engineers
who have designed, built and
tested all of the new
capabilities we will cover
today.
We have so much to share that I've brought along a supporting cast larger than Game of Thrones'; well, okay, seven engineers, to help me get through it all.

But I promise that we will
conclude in less time than it
takes the Oscars.

So, without further ado, I'd
like to ask Bob Whiteman to come
on stage and get us started by
telling you all about how we've
improved enrollment this year.
Bob.

Game of Thrones, will we make
it through the season, who
knows.
I'm Bob Whiteman, one of the
Apple engineers responsible for
the new device management
features you'll see today.
In this section, you'll find out
about major additions to Apple
TV management, new features of
the Device Enrollment Program,
security enhancements of the MDM
protocol, best practices for MDM
administrators and MDM server
developers, and a major update
to Apple School Manager.
First off, Apple TV.

I'm happy to say that Apple TV
can now participate in the
Device Enrollment Program.

Apple TV devices have all the same features as iOS devices: zero-touch configuration, streamlined setup and wireless supervision.

You plug in power and an Ethernet cable, and the device is automatically configured; you don't even need the remote.
There's also a change to the supervision of Apple TVs: previously all Apple TVs were treated as supervised; now they are unsupervised by default.

If you don't want the elevated privileges of supervision, you don't need to claim them.

We've expanded the Device
Enrollment Program with a new
way to introduce devices into
the program.
Previously, DEP only supported
devices that were purchased from
a supported sales channel.
Now you can also enroll your own
devices in DEP regardless of how
you purchased them.
This will particularly help
schools that received donated
devices.
Now this new enrollment method differs in two ways. The first is that the device is always supervised and MDM management is always mandatory. The second is a 30-day provisional period. When you add a device to DEP, it erases the device; the provisional period then starts when the device is subsequently activated. During the provisional period the lock screen and Setup Assistant indicate that the device is provisionally enrolled, and the user can remove the device from DEP in Setup Assistant or Settings, which also erases the device. But after the 30 days expire, the user can no longer do so.

Both during and after the provisional period all DEP features are available, including streamlined setup and mandatory MDM enrollment.
Now let's switch over to the
other DEP enrollment method.
When you add a device to DEP while purchasing it from an approved sales channel, the device does not need to be supervised and MDM management can be optional, which lets the user opt out of MDM management. But only a vanishingly small number of devices are in this state, and it was always kind of an odd fit for DEP, so we're deprecating these. In the future, all DEP-enrolled devices will need to be supervised and MDM enrollment will be mandatory.
And here's a little housekeeping: with each new release of iOS there are new panes in Setup Assistant. DEP configuration allows you to skip these panes, so these are the new skip keys.

I won't go over each one of these, but let me mention that the keyboard pane only appears on devices in non-US English regions, such as China and Japan.

Moving on to some security enhancements. In iOS 10.3 we introduced partial trust for manually installed certificates and certificate profiles. When a certificate has partial trust, it is trusted for all purposes except SSL.

When a certificate is installed non-interactively via MDM or Configurator, the certificate is given full trust, but if it's installed manually the certificate gets partial trust at first. The user can go to Settings, About, Certificate Trust Settings and enable full trust, which gives an appropriate additional warning.

Now this is a speed bump that gets users to reconsider whether they should trust whatever certificate they have just been asked to trust. Often MDM enrollments require trusting the MDM server certificate. To avoid complicating MDM onboarding, we put a small gap in the speed bump: if the certificate is manually installed by a profile that also contains an MDM payload, that certificate is given full trust.

So, if your MDM deployment requires trust, make sure you're distributing the certificate in the same profile as the MDM enrollment payload, to make sure that you're driving your users through that gap in the speed bump.
In 2018, MDM will require your server to support App Transport Security, or ATS. This is a set of security requirements for secure communication that was introduced previously. ATS requires specific protocol details and cryptographic algorithms to harden secure communications. For now, MDM is exempted from ATS, but this exemption will be ending in 2018. If your MDM server does not currently meet ATS requirements, in the future the MDM client will refuse to communicate with it.

But regardless of that, the time to update your MDM server is now. After all, these changes are a good idea for security, whether or not the device requires them.

This involves negotiating the cryptographic algorithms used for encryption and hashing. We've dropped support for the outdated DES algorithm. And make sure your SCEP server advertises its capabilities properly in the CA Caps field. A couple of MDM servers out there didn't, and that forced the MDM client to fall back to the lowest-quality algorithm, triple DES, even though the SCEP servers in question supported better algorithms.

And on that note, add support for the best algorithms, which are currently AES for bulk encryption and SHA-512 for hashing.
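An added example (editor's code, not Apple's and not part of the talk) of the capability negotiation described above: it parses a SCEP GetCACaps response and picks the strongest hash and cipher the CA advertises, and reports what an administrator should fix before pointing devices at that CA. The capability keywords are the ones defined for GetCACaps in the SCEP specification (RFC 8894). The three sample responses are constructed, and the fallback to triple DES and SHA-1 for a CA that advertises nothing is an assumption that mirrors the client behaviour the talk describes.

```python
"""Select SCEP algorithms from a GetCACaps response (added example)."""

from dataclasses import dataclass
from typing import List, Set

# Keyword preference order, strongest first, per the talk's advice:
# AES for bulk encryption and SHA-512 for hashing. Keywords are the ones
# RFC 8894 defines for the GetCACaps response.
HASH_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1")
CIPHER_PREFERENCE = ("AES", "DES3")

# Assumed floor when a CA advertises nothing usable: the talk says the
# client drops to triple DES; SHA-1 is assumed as the matching hash floor.
FALLBACK_HASH = "SHA-1"
FALLBACK_CIPHER = "DES3"


@dataclass(frozen=True)
class ScepChoice:
    hash_alg: str
    cipher: str
    post_pki_operation: bool  # CA accepts PKIOperation via HTTP POST
    weak: bool                # True when we ended up on a fallback


def parse_ca_caps(body: str) -> Set[str]:
    """GetCACaps is plain text: one capability keyword per line.

    Comparison is case-insensitive and ignores stray whitespace so a CA
    that emits 'sha-256 ' is still recognised.
    """
    return {line.strip().upper() for line in body.splitlines() if line.strip()}


def choose_algorithms(caps: Set[str]) -> ScepChoice:
    """Pick the first advertised entry from each preference list."""
    hash_alg = next((h for h in HASH_PREFERENCE if h in caps), FALLBACK_HASH)
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), FALLBACK_CIPHER)
    weak = hash_alg == FALLBACK_HASH or cipher == FALLBACK_CIPHER
    return ScepChoice(hash_alg, cipher, "POSTPKIOPERATION" in caps, weak)


def audit_ca_caps(body: str) -> List[str]:
    """Findings an admin would want before pointing devices at this CA."""
    choice = choose_algorithms(parse_ca_caps(body))
    findings = []
    if choice.cipher == "DES3":
        findings.append("CA does not advertise AES; client will use triple DES")
    if choice.hash_alg != "SHA-512":
        findings.append(f"CA advertises {choice.hash_alg}, not SHA-512")
    if not choice.post_pki_operation:
        findings.append("POSTPKIOperation not advertised; PKIOperation will go over HTTP GET")
    return findings


# Constructed sample responses (not captured from a real CA).
GOOD_CAPS = "AES\nSHA-512\nSHA-256\nPOSTPKIOperation\nRenewal\nSCEPStandard\n"
SILENT_CAPS = ""  # CA that advertises nothing: the case described in the talk
LEGACY_CAPS = "SHA-256\nDES3\nPOSTPKIOperation\n"

if __name__ == "__main__":
    for name, body in ("good", GOOD_CAPS), ("silent", SILENT_CAPS), ("legacy", LEGACY_CAPS):
        print(name, choose_algorithms(parse_ca_caps(body)), audit_ca_caps(body))
```

The silent case is the one to watch for: a CA that supports AES and SHA-512 but never says so in GetCACaps negotiates exactly like one that supports only triple DES.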
On the macOS side, we've hardened the server certificate evaluation for MDM communication in High Sierra. This involves three new keys in the MDM enrollment payload. The first two keys specify whitelists of certificates to use when evaluating server trust: one set for the server URL and the other for the check-in URL. The third key specifies hard or soft revocation checking on those pinned certificates. Hard revocation checking means that the trust evaluation fails if the device cannot get a positive response from the revocation server for any reason.

Now these are generally good security features for securing communications, but if you're only administering Macs this can be particularly useful: it can save you the cost and effort of getting a certificate from a public CA.

Just remember to be particularly careful when rolling out these features, especially pinning the server URL certificate. A misconfiguration could cut off your Macs from communicating with your MDM server, which makes it very difficult to correct the misconfiguration.

I'd like to share some best practices for administrators. For those administering Shared iPad, please enable diagnostic submission using the diagnostic submission command. This lets us collect the raw data that we need in order to help us improve the product for everyone.

Also for Shared iPad, there's an interaction between the user quota setting and the APFS file system. A user quota controls two different things: it sets a maximum number of users that can have data stored on the device, and it ensures that individual users aren't consuming too much file system space, which would crowd out other users. If you already have Shared iPad devices with a user quota, that second control of storage space is effectively disabled by the upgrade to APFS introduced in iOS 10.3. There's a one-time administration task to restore the storage quota: upgrade to the latest iOS and wipe all of the existing user accounts on the iPad. You can either erase the iPad and set it up again or use the delete user command. And don't forget to shut down the iPad after you're done so that it's ready to go when the users first get it.

If you're using startup profiles on macOS, you've been putting the profiles in a special location in the file system; this is now deprecated. Instead, there's a new option to the profiles command-line tool that lets you specify startup profiles; the details are in the man page for the profiles command.
And now some best practices for those of you that are implementing MDM servers. I just mentioned how useful the diagnostic submission command is, so please make sure that your server supports it.

In 2018, APNs tokens will likely increase in size; verify that your server can handle APNs tokens up to 100 bytes in size. Don't just hardcode the size of the APNs tokens that you've been receiving from devices.

When the MDM server generates its enrollment profile, limit it to just the MDM payload and the payloads necessary to ensure that the enrollment succeeds, such as a Wi-Fi payload or certificate payload. Don't use this profile to configure other things like restrictions or accounts; instead, push those payloads after the enrollment completes.
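An added example (editor's code, not Apple's and not part of the talk) covering two points from this section together: the advice to ship the server's CA certificate in the same profile as the MDM payload so it receives full trust, and the server-side advice to keep the enrollment profile minimal and not to hardcode APNs token sizes. It assembles a minimal enrollment profile, lints one for payloads that should be pushed after enrollment and for pinning references that would strand Macs, and validates a TokenUpdate check-in message. The `example.com` URLs, payload identifiers and sample messages are hypothetical; the set of payload types considered acceptable in an enrollment profile is an assumption based on the talk's examples; the macOS 10.13 pinning key names are as listed in Apple's Configuration Profile Reference and should be verified against the current reference.

```python
"""Enrollment-profile hygiene and APNs token handling on the MDM server side (added example)."""

import plistlib
import uuid

# Payload types assumed acceptable inside the enrollment profile: the MDM
# payload plus what the talk lists as necessary for enrollment to succeed
# (Wi-Fi and certificate/identity payloads). Anything else is flagged.
ENROLLMENT_PAYLOAD_TYPES = {
    "com.apple.mdm",
    "com.apple.wifi.managed",
    "com.apple.security.root",
    "com.apple.security.scep",
    "com.apple.security.pkcs12",
}
CERT_PAYLOAD_PREFIX = "com.apple.security."
APNS_TOKEN_MAX_BYTES = 100  # per the talk; never assume the 32 bytes seen today

# macOS 10.13 pinning keys in the MDM payload (names per Apple's
# Configuration Profile Reference; verify against the current reference).
PINNING_KEYS = ("ServerURLPinningCertificateUUIDs", "CheckInURLPinningCertificateUUIDs")


def _payload(ptype, display, **keys):
    """Common PayloadType/UUID/Identifier scaffolding (identifiers are hypothetical)."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadDisplayName": display,
            "PayloadIdentifier": "com.example.mdm." + ptype.rsplit(".", 1)[-1],
            "PayloadUUID": str(uuid.uuid4()).upper(), **keys}


def build_enrollment_profile(server_url, checkin_url, topic, ca_der, scep_url, pin_to_ca=False):
    """Minimal enrollment profile: CA root + SCEP identity + MDM payload, nothing else.

    Shipping the CA certificate in the same profile as the MDM payload is
    what earns it full trust on iOS 10.3+ (the 'gap in the speed bump').
    """
    root = _payload("com.apple.security.root", "MDM CA", PayloadContent=ca_der)
    scep = _payload("com.apple.security.scep", "MDM identity", PayloadContent={
        "URL": scep_url, "Name": "MDM", "Subject": [[["CN", "mdm-client"]]],
        "Keysize": 2048, "KeyType": "RSA", "Key Usage": 5})
    mdm = _payload("com.apple.mdm", "Remote Management",
                   ServerURL=server_url, CheckInURL=checkin_url, Topic=topic,
                   IdentityCertificateUUID=scep["PayloadUUID"],
                   AccessRights=8191, CheckOutWhenRemoved=True)
    if pin_to_ca:  # macOS only; soft revocation so an unreachable responder can't strand Macs
        for key in PINNING_KEYS:
            mdm[key] = [root["PayloadUUID"]]
        mdm["PinningRevocationCheckRequired"] = False
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.mdm.enroll",
                           "PayloadUUID": str(uuid.uuid4()).upper(),
                           "PayloadDisplayName": "Example Enrollment",
                           "PayloadContent": [root, scep, mdm]})


def lint_enrollment_profile(profile):
    """Return findings for a profile given as plist bytes or as a dict."""
    p = plistlib.loads(profile) if isinstance(profile, bytes) else profile
    payloads = p.get("PayloadContent", [])
    findings = []
    types = [x.get("PayloadType") for x in payloads]
    if types.count("com.apple.mdm") != 1:
        findings.append("enrollment profile must contain exactly one com.apple.mdm payload")
    findings += [f"{t}: configure after enrollment, not in the enrollment profile"
                 for t in types if t not in ENROLLMENT_PAYLOAD_TYPES]
    cert_uuids = {x["PayloadUUID"] for x in payloads
                  if str(x.get("PayloadType", "")).startswith(CERT_PAYLOAD_PREFIX)}
    for m in payloads:
        if m.get("PayloadType") != "com.apple.mdm":
            continue
        for url_key in ("ServerURL", "CheckInURL"):
            if not str(m.get(url_key, "")).startswith("https://"):
                findings.append(f"{url_key} is not https; ATS will reject it")
        if m.get("IdentityCertificateUUID") not in cert_uuids:
            findings.append("IdentityCertificateUUID does not reference a certificate payload in this profile")
        for key in PINNING_KEYS:  # a dangling pin locks Macs out of the server
            findings += [f"{key} references {u}, which is not a certificate payload here"
                         for u in m.get(key, []) if u not in cert_uuids]
    return findings


def handle_token_update(message):
    """Validate a TokenUpdate check-in (plist bytes or dict) and return what to store."""
    msg = plistlib.loads(message) if isinstance(message, bytes) else message
    if msg.get("MessageType") != "TokenUpdate":
        raise ValueError("not a TokenUpdate message")
    token = msg.get("Token")
    if not isinstance(token, bytes) or not 1 <= len(token) <= APNS_TOKEN_MAX_BYTES:
        raise ValueError("APNs token missing or outside 1..%d bytes" % APNS_TOKEN_MAX_BYTES)
    if not msg.get("UDID") or not msg.get("PushMagic"):
        raise ValueError("UDID and PushMagic are required")
    # Store the token at its actual length (hex keeps it printable); no fixed-width column.
    return {"udid": msg["UDID"], "push_magic": msg["PushMagic"], "token_hex": token.hex()}
```

Run the linter against the profile your server actually emits, not just the one it is supposed to emit: the findings that matter most in practice are a restrictions or accounts payload that crept into the enrollment profile and a pinning UUID that no longer matches a certificate payload after a CA rotation.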
And last, I'd like to challenge MDM solution providers to make the life of an administrator easier. Device management provides a large number of individual controls, and we're adding more with each new release. This makes device management powerful, but complex. Administrators may not know all of the details of how these controls interact, and that raises the risk of a misconfiguration. For instance, an administrator may restrict the App Store to prevent unauthorized apps but not realize that they should also restrict pairing so that apps can't be installed with Configurator or iTunes. So, do what you can in both documentation and software to meet administrators' needs, not just allow them to set settings.

If you're troubleshooting device management problems, I have some tips for that. Your best source of information is the system logs. You can view them with the macOS apps Console or Apple Configurator 2.

On iOS, filter the logs by process name to home in on the most useful messages. profiled is responsible for installation and removal of profiles, restrictions and other things. mdmd is responsible for communicating with the MDM server and tracking management of apps, systems and accounts; if you have a device that's not communicating with the MDM server, you want to examine mdmd. dmd relays management commands to other parts of the operating system. And appstored installs and removes apps, and if those apps come from iTunes, itunesstored is involved as well. So, when you're looking through the logs, your best bet is to look for log messages of error type first, and if nothing jumps out at you, look at the warning level as well.

On macOS, don't filter the logs by process; instead, filter the logs by setting the subsystem to com.apple.ManagedClient, which covers all the appropriate processes. But for both operating systems you may want to install a debug logging profile to get more detailed information. Just remember the caveats involved when using debug logging. For instance, don't habitually push the logging profiles to all the devices in your population.

If you have any troubleshooting questions, make sure to come to the lab sessions.

And now I'm going to turn it
over to my colleagues, Can Aran
and Juan [inaudible] to demo
some of these.
Can.
Hello, I'm Can Aran, an iOS engineer on the device management team, and I must say I'm very excited to be here. I will be using Apple Configurator 2 to enroll this device, so let's get started with that. I'll choose the device, right-click on it and hit Prepare. In the new version of Configurator we have this option to add the device to the Device Enrollment Program, so we'll check that and hit Next. Just a quick note: I had already logged in to my DEP organization; Configurator prompted me for that and saved my credentials. Here we can specify our MDM server, we can enter our organization information, we can skip these steps in Setup Assistant, and we will need to provide a Wi-Fi profile for the device to be able to communicate with the server. And we may enter our credentials for the MDM server, but we do not need to for now. So, once I hit Prepare here, the device will get added to DEP and after that it will erase itself, which will take some time to land on Setup Assistant.

So, for the sake of time we'll use another device to go through Setup Assistant. This device was already added to DEP beforehand. So, let's hit Prepare and switch to the other device.

All right. So, we have a new pane for device enrollment now; it's called Remote Management. You can see the details about what Remote Management does here, and also we can remove the device from DEP by just clicking on the Leave Remote Management button. This button will appear in the first 30 days of enrollment, as my colleague Bob said. Once we hit that, it will remove the device from DEP. Also, this button is there because we would like to protect our users; we don't want our users' devices to get added to DEP without their consent or accidentally.

So, let's apply the configuration by hitting Next and let's enter our secret credentials for the MDM server. And let's read the terms and conditions, as I know every one of you does. And that's it: the device has the configuration that has been specified by the MDM server, and it's been added to DEP just as if it was purchased from a supported sales channel. So regardless of how the device is purchased, it can be added to DEP now.
Now that I have enrolled my device, I would like to invite my colleague Juan [inaudible] to the stage to show you how this connects to the Apple School Manager world. Thank you.
Thank you, Can. Hi, my name is Juan [inaudible] and I'm the UI Manager for Apple School. And today I'm really proud to show you the latest version, which came out of preview on May 17. But for those that are not familiar with Apple School, what is Apple School? Apple School is your one destination for your institution to manage your devices, accounts and content. So, these are some of the new features that came out in the latest release. We have a new streamlined user interface, the ability to create up to five administrators, and support for PowerSchool.

But nothing better than a demo
to show you our new streamlined
user interface.

Today I'm going to be an administrator at my organization and I'm going to start by talking to you guys about managing devices. Can just enrolled two devices in the DEP program, and you can see the two devices up here under Devices added by Apple Configurator 2. And we just realized that I should have assigned one of those devices to this MDM server in a different location. So, let's do that.

I'm going to search for my device; here is the last iPad that he added to the DEP program. And I'm just going to switch it to Abraham Lincoln Elementary, click Done, and now I'm ready to wipe that device, and the next time it boots up it's ready to be managed by its new MDM server.
Now let's talk about managing your accounts. So, imagine the following scenario: it's the beginning of the school year at Abraham Lincoln Elementary and we have a new group of students, of first-graders. So, we need to create new credentials for these students.

So, let's do that. I'm going to navigate to Locations; here's my elementary school. Now I want to see the accounts related to this school. Notice that my filtering UI is now visible. Now I just need to add a couple of filters: I want my students and my first-graders. As you can tell, the search results have changed, and there's this first row that allows me to select all the students in this filter. On your right, you can see several different bulk actions that I can execute as an administrator. Now let's create a sign-in sheet for these students. You might be wondering why a sign-in sheet; well, it turns out that most first-graders don't have a phone number or an e-mail address, so we need this alternative method to distribute the credentials.
So, let's do that. All right, I select Create, which creates a downloadable PDF and CSV, and this starts a process that we call an Activity. An Activity is a way to track background processes or long-running jobs. Now I just jump to the Activity page and you can see here the creation of the sign-in sheet. As you can tell, I've been very busy today; it's the first day of school, so I had to delete some accounts, create sign-in sheets for other students, change the password policy of some accounts, add new roles, and also I had some problems with some of the operations. This also allows us to notice any problems that we have in our process of administrating. Creating our new sign-in sheets is almost over, so I'm just going to wait for a second.

Now I'm ready to download that sign-in sheet. So, I want it in an 8-up PDF format because I want to save some paper. I download it, and here is the sign-in sheet for my new students. So that was easy.

Now let's talk about managing your content. Currently, I can navigate to Apps and Books, and here I'm presented with a link that will take me to the Volume Purchase Program. On the Volume Purchase Program website, you will be able to purchase applications and iBooks in bulk. I'm really happy to announce today that we are working on integrating the Volume Purchase Program into Apple School, and it's coming before the end of the year. Now let's look at what it looks like. Here's a screenshot that is showing you the inventory of applications across all devices that you have purchased for the Apple School district. You see the ones that are available and the ones that are in use.

And in this next screen you are seeing that I'm trying to purchase an iBook, 50 licenses of it, and assigning them to Covington Charter School. Now let's have Todd talk to you more about the details of this new distribution model.
Thank you very much, Juan. As some of you may have noticed, we've now concluded the enrollment section and moved into distribution, now that we're talking about volume purchase.

However, I wanted to reiterate that the new Leave Remote Management button at the bottom of the new Remote Management pane in Setup Assistant only appears during that 30-day provisional period after adding devices to the Device Enrollment Program using the new feature that Can demoed. For devices that have been added by purchasing directly from Apple or through a reseller which supports the Device Enrollment Program, there's no change, and that button will not appear.

So, we have a short agenda for distribution, but it's a really big topic upfront: Volume Purchase Program fully integrated into Apple School Manager. I will go into a bit more detail and cover a few additional features, and a brief update about changes to installing apps and managing them on tvOS.
So, Juan has already shown you
the beautiful new updated UI in
Apple School Manager which went
live last month, as well as a
sneak peek into how Volume
Purchase Program will look once
it's integrated into it.
We are also making it much
easier to manage multiple
locations, tokens, and licenses
within an organization,
including supporting
transferring licenses between
locations so that your content
managers no longer will need to
share credentials.
All of this will be available
very soon as Juan mentioned, but
there is a bit of work for MDM
vendors to do to support license
transfer in particular, which
again I'll cover today.
So, for a long time we've heard
some customer feedback around
the difficulty in managing
multiple VPP accounts so we
wanted to make it much easier
for schools to organize their
purchases and manage them in an
intuitive way that matches their
organizational structure.
So, with these updates purchases
are now associated with a
location rather than the
personal inventory of individual
content managers.
Multiple content managers can
purchase apps and books for a
single location and all licenses
for that location will be
managed with a single token.

So, there's no longer a need for
a token per content manager.
Each content manager through
that token can then manage all
licenses that are associated
with that location, meaning that
if a content manager leaves any
other content manager can
continue to manage all of those
licenses.
Just to illustrate this with a simple animation: now I have two different content managers, each of them buying some apps and buying some books. There's a token that either one of those managers can download from the Volume Purchase Program and upload to their MDM server to allow it to manage those licenses and assign them to users and devices.
Another bit of feedback we've
gotten is the request to be able
to transfer licenses that were
purchased in one area to a
different area.

And so, we have now added
support for transferring
licenses between locations which
are now tracked with a single
token.
Apple School Manager of course
will show the accurate number of
available licenses at each
location as these transfers take
place.
Any licenses which are currently available and not assigned can be transferred at any time. But if there are licenses that are already assigned to a user or device, those can't be transferred, because of course those users and devices are associated with that location as well, and it would disrupt your deployment.

So, if you do want to actually transfer those licenses, you can revoke the current assignment, making them available for transfer. In a simple animation, we've got two locations, each represented with its token to manage their apps and books, and we can transfer apps from one location to the other. And each location continues to manage those licenses, so if location one is on one MDM server and location two on another MDM server, they can continue to manage the appropriate app and book licenses.

Another sneak peek, this is what
it will look like once it's
integrated in Apple School
Manager showing you for each app
that you've purchased the
licenses for each location and
making it very easy to then
select the location and transfer
some of those licenses to
another.
So, now I'd like to highlight what we need our MDM partners to do to support license transfer and these new features.

The first is that, now that a location and token have a one-to-one relationship, as tokens expire or otherwise become invalid it's going to be important to make it easy for admins to identify which token needs renewal, by making clear which location a token is for. And the API calls that you're already using to get information about the Volume Purchase Program have now been enhanced to provide that information to you, so that you can update your UI appropriately. Now that multiple content managers can download the same token for a location, you need to also be prepared for a content manager to inadvertently upload a duplicate token, and handle that appropriately so that you don't duplicate the license count. Similarly, licenses can now be transferred outside of your MDM server's knowledge, in Apple School Manager. So, you need to be prepared to refresh your license counts when you update your UI.

Finally, when is this all
coming?
We're working hard on preparing
the documentation update, as
well as testing support which
will be available soon and
releasing later this summer so
that you can help us and our
joint customers in schools be
ready for back-to-school
deployment.
That concludes our section on
Volume Purchase Program and now
I'd like to do a couple of
updates on tvOS.

It's now possible to install
enterprise apps on tvOS, as well
as manage them using Managed App
Configuration.
A great feature that we've had
in iOS for a number of years is
now available in tvOS as well to
configure your apps after you
deploy them.

And that brings us to the end of
our distribution section, so I'd
like to ask Pradhap to come up
on stage and take you through
the management section.
Pradhap.

Thank you, Todd. Hello everyone, good afternoon.

I'm very excited to be here to walk you through all the great management features that we have added since we met last year. First, let's get started with iOS. Preparing a large number of iOS devices, especially with a lot of apps and books, using a Wi-Fi network has always been a challenge. It makes the Wi-Fi network unusable, and more often than not administrators had to set up a dedicated Wi-Fi network just for preparing devices. To solve this, we added a new option to all the MDM commands with which the administrator can specify that the device has to be connected to a wired network, like Internet Sharing, USB or an Ethernet connection, to perform a command. This, combined with content caching on macOS, is going to significantly improve the setup experience for iOS devices.

MDM already has the ability to install software updates on DEP devices without a passcode. We improved that and added support for passcode-locked devices and supervised non-DEP devices as well.

We realize that in most cases when a device with an app or [inaudible] is erased, the data plan shouldn't be erased as well, so we added an option to the erase device command to specify the data plan preference.

Before I move on, I would like to point out that the features that are marked with the New badge are new in the upcoming iOS releases that we announced in [inaudible] this week, and all the other features [inaudible] earlier this year. And also, if you see a New badge on the upper right corner of the slide, everything on that slide is new.
Next, let's talk about lost and found. All the users love our devices, but sometimes they go missing. MDM already supports putting a device in lost mode and also querying the location of the device when the device is in lost mode. We also added support to play a sound when the device is in lost mode. And we updated the device location query to include all the location attributes that you would expect from a location API.

Like devices, apps go missing as well, so we added a new restriction to prevent users from deleting system apps accidentally on their device. This is especially great for shared-use devices where the App Store may be disabled.
We continuously add new features to help enterprises keep their data safe. Starting with iOS 10.3, administrators can restrict the list of Wi-Fi networks that the device can join to just the Wi-Fi networks that are configured by MDM or configuration profiles.

Thank you. And starting with iOS 11, the Wi-Fi restriction exempts carrier profiles. We recommend that you push the Wi-Fi restriction together with or after the Wi-Fi payload; otherwise you run the risk of devices losing connectivity to the MDM server. We also added a new restriction to prevent users from creating their own VPN configurations.

MDM already supports configuring signing and encryption identities for Exchange and Mail, but there was only one global switch to turn both signing and encryption on or off. We improved that and added a new key so that you can control signing and encryption independently.

We added three new restrictions to Classroom to make the experience of unmanaged classes on supervised devices on par with managed classes. The first two new restrictions enable an instructor to observe a student's screen and perform an app or device lock without prompting the students, just like managed classes. And the last one causes the students to automatically join classes without prompting them every time.

With iOS 11 we made a lot of improvements to the AirPrint payload. The AirPrint payload now supports configuring a custom port and also specifying whether TLS is required, on a per-app and per-destination basis. In addition to the improvements to the payload, we also added four new restrictions to configure global AirPrint options. The first restriction can be used to disable iBeacon discovery of AirPrint printers. And the second one can be used to disable storage of AirPrint credentials in Keychain. You can also require TLS for all AirPrint connections on a device. And finally, you can disable AirPrint completely on a device if you have to do so.

As you may have heard earlier this week, iOS 11 supports a new extension with which apps can provide a DNS proxy, and we added a payload just to configure that. The new DNS proxy extension payload can be used to configure the bundle ID of the extension that should be used as the DNS proxy and also provide any custom configuration that the extension might need. The cellular payload now supports configuring Internet protocol versions for cellular connections.

Like iOS we also added a lot of
new features to macOS to improve
the setup experience.

The new system migration payload
can be used to configure custom
migration paths for migration
from Windows to Mac.
We also added a new payload to
configure smart card options on
Mac.
This payload can be used to
restrict one smart card per
user, require trusted
connections for smart cards, and
also disable smart card usage on
Mac.
We improved the 802.1X payload,
adding the ability to provide a
default configuration for ports
that don't have an explicit
configuration.

Starting with macOS High Sierra
administrators now have the
ability to delay the software
updates on a Mac for up to a
maximum of 90 days.
This is great for testing your
software on the latest updates
before users get their hands on
them.

We also updated the software
update query to include a date
until which a specific update
will be deferred.
Firmware passwords on macOS are
equivalent to Activation Lock on
iOS.
Starting with macOS High Sierra,
firmware passwords can be
completely managed using an MDM
server.
Using the new commands the
administrator can set a firmware
password, query the status of
the password change, and also
verify that the password on the
device is correct once the
password change is in effect.

Thank you.
I would like to note that a
reboot is required for the
password change to take effect.
We also brought over the user
management commands from iOS to
macOS.
macOS now supports querying the
list of local user accounts on
the Mac and deleting user
accounts.
macOS also supports unlocking a
locked-up user account on Mac.
Extensions are a great way to
add a lot of useful features on
Mac, but we also realize that
there is a need to manage these
in an enterprise environment.

So, the new extensions
management payload can be used
to configure a whitelist and
blacklist of extensions that are
allowed to run on a Mac.
The payload also has the
flexibility to configure the
blacklist and whitelist on a per
extension point basis.

It can go even further and
disable specific extension
points or disable all extensions
on Mac if you have to do so.
Once the extensions are set up
as they need to be the new
active extensions query can be
used to query the list of
extensions that are in use on a
per user basis.
macOS already supports escrowing
encrypted personal recovery keys
to a custom server, and starting
with macOS High Sierra we
folded that into MDM.

The new escrow payload can be
used to configure the private
key using which personal
recovery should be encrypted.
And we also updated the security
information query to retrieve
the personal recovery key using
an MDM server.
We also added a new restriction
to disable iCloud desktop and
documents.
We aggressively added a lot of
features to tvOS this last year.
We set ourselves a goal to
provide a great set of
experiences for Apple TVs without
ever touching your remote.
It is now possible to erase an
Apple TV using Apple
Configurator or MDM and enroll
the Apple TV using DEP and Auto
Advance like Bob talked about
earlier, specify the name of the
Apple TV, prevent the users from
changing the name on the TV,
configure allowed content
restrictions, such as media
ratings, specify the list of
apps that are available on the
TV, and also configure how the
apps are laid out on the Home
screen including folders.
Isn't that great?
Thank you.
Apple TVs are great for
conference rooms and classrooms.

So, we built a new management
feature to put Apple TV into a
mode that we call Conference
Room Display mode.
When in this mode Apple TV can
be configured to display a
custom message onscreen and the
only thing the users can do is
to [inaudible] the TV to share
their displays.
We also added a new AirPlay
Security payload using which
administrators can configure the
type of the security requirement
for AirPlay.

This can be one of three
options: a one-time passcode, a
passcode every time, or even a
custom password which can be
configured using the payload.
We believe this combined with
AirPlay payload on iOS and macOS
gives the administrators the
ability to configure AirPlay
with the greatest security
possible and ease-of-use.
Apple TVs are also great for
kiosks and dashboards, so we
brought over the single app mode
from iOS to tvOS and, as you
would expect, this payload can
be used to lock a TV to a single
app.

To go along with this, we also
added two new restrictions, one
to disable users from pairing
the remote app on their iOS
devices with a TV and the next
one to disable AirPlay on a TV.

Next, let's talk about some of
the features that are shared
across all the platforms.

VPN IKEv2 and Wi-Fi payloads now
support configuring minimum and
maximum TLS versions.

The installed application list is
now consistent on all three
platforms and accurately reports
whether an app is being
installed or updated.
We now support Restart on iOS,
tvOS and macOS, and Shut Down on
iOS and macOS.
We already have great support
for test-taking apps with
automatic assessment
configuration.

I'm happy to announce the
automatic assessment
configuration now includes five
new restrictions without you
having to make any changes.
Activity continuation, universal
clipboard, dictation and, in the
upcoming release, smart
punctuation, and Classroom
screen observation.
These are the set of
restrictions that existed even
before supervision was a thing.
And Todd has been warning you
for the past two years that
these are going to become
supervised only and I get to
tell you when.

Starting in 2018 these restrictions
will become supervised only.
With that, please welcome my
colleagues, Graham and John on
stage to demo some of the
features that I've been talking
about.
Thank you.
Thank you very much Pradhap.
I'm really excited to be here
today to show you guys the
latest management features for
Apple TV.
In tvOS 10.2, we added a ton of
great new features for managing
Apple TVs and today with tvOS 11
we're expanding on that feature
set.
While our Apple TV is
booting, let's set the scene.

It's summer vacation and you've
just received your order of
Apple TVs and it's time to get
them configured for the upcoming
school year.
I've already set up a default
MDM server in Apple School
Manager so my devices have
already appeared in my MDM
server.
I've also gone ahead and
configured the enrollment
options that I'll want for
today's demo, including the auto
advance key and nonremovable
MDM.
I've also added the device to a
group that contains some of the
settings that we're going to use
today as well.
Those include a Home screen
layout payload, we've hidden
some of the default system
applications and installed some
enterprise apps.
So, it looks like we're still
booting up here so let's talk
about what's going on behind the
scenes.
Once the device reaches the
setup screen it will begin its
activation process if it's
connected to ethernet.

The device will check in with
the activation server and if
it's enrolled in the Device
Enrollment Program it will
download the cloud configuration
file and look for that auto
advance key.
If the auto advance key is found
the device will begin its setup
process and enroll in MDM.
So, it looks like we've just got
another couple of seconds here
before this reaches the screen.
So, I hope everyone's having a
fantastic conference so far,
woohoo.
So, we can see that our Home
screen layout payload has been
applied: we've got some of our
default apps in a
folder, most of the default
system applications have been
hidden, and we've got some
enterprise apps that have been
installed.
So, now that we're ready to go
let's take a look at the new
single app mode payload.
We'll go ahead and launch one of
our enterprise apps in the
single app mode.
For today's demo, we've got a
foreign currency exchange app
that shows us the exchange rate
for the US dollar in various
currencies around the world.

It looks like the Canadian
dollar is doing pretty great
today.

Yeah, Canada.
All right, but now let's say
that we're managing Apple TVs in
different countries around the
world, they'll likely want to
see that exchange rate in their
local currency.
So, let's go ahead and install a
managed app configuration and
see what happens.
Now you'll notice that we're in
Canadian dollars for our base
currency, pretty cool hey?
All right, next let's take a
look at the conference room
display mode payload.
So, perhaps this Apple TV is
being used in a conference room
where we're doing presentations
on a regular basis.

We can now remotely place the
Apple TV in conference room
display mode and as you can see,
we can add a custom message for
our users.
Hello WWDC 2017, wooo.

You'll notice that the
conference room display mode has
integrated seamlessly with
single app mode payload, meaning
that we can [inaudible] a room
at any given time with either
payload.
Finally, let's take a look at
the AirPlay security payload
that we added in tvOS 11.
We've got an iPad here running
iOS, so we're going to go ahead
and start an AirPlay session
with this Apple TV.
You'll notice that we are
prompted for the password that
we defined in the AirPlay
security payload.

While this is fantastic from a
security perspective it's not as
easy as we'd like for our users.

So now we've got a second iPad
here that's got the AirPlay
security or the AirPlay payload
installed on it so let's see how
much easier we can make this for
our users.

So, now when we start our
AirPlay session you'll notice
that this is the only Apple TV
that we can AirPlay to and we
weren't prompted for the
password.

This makes for a seamless
experience for our users, it is
also very secure for our
institution.
And with that, I'd like to thank
you very much for your time
today and I'll turn the stage
back over to Todd.
Thanks Todd.

Thank you very much Graham and
Todd.
So, one reason we're so excited
about all these new features is
what some of you have already
done with them and we want to
just make it even easier for you
to do those things better and we
can't wait to see what you can
come up with next.
I want to highlight one example
that UC San Diego did at their
new Jacobs Medical Center where
they provide each patient when
they enter the hospital with an
iPad in their hospital room that
they can use to monitor their
care, as well as manage the
entertainment options in the
room on Apple TV.
Now with that last feature that
Graham just showed they can
securely connect pairs of
patient iPad and Apple TV so the
patient can't inadvertently
interfere with the patient in
the next room.

We're so excited about
deployments like these that can
really improve people's lives by
giving them more control over
their experience in a hospital
and we can't wait to see what
else you can do with them.
So that concludes our management
section.

So, let's turn to a quick update
on Apple's device management
tools.

Of course, Apple Configurator
and Profile Manager, which we've
updated in seeds this week,
support all these new features.
And I'm going to talk in a bit
more detail about
Classroom and content caching in
a moment.
But I also wanted to mention
that we have created a new
roster simulator as a complement
to our existing DEP and VPP
simulators that help MDM vendors
test their implementation of our
APIs for our deployment
services.
The roster simulator will allow
you to do that for Apple School
Manager's APIs for obtaining
accounts and class information.
So, we will be posting those
very soon, we encourage you to
download the roster simulator
and the updated versions of the
DEP and VPP simulators to make
sure that your MDM solutions
integrate really well with our
deployment services.
So, this spring we shipped
Classroom 2, which had a really
critical new feature to make the
audience much wider, allowing
teachers to create their own
classes.
We also now allow teachers and
students to share documents and
URLs with each other.
And of particular importance,
when the teacher needs a bit of
peace and quiet, she can now
mute the student devices.
Earlier this week we released, or
rather seeded, Classroom 2.1 which, as
Pradhap mentioned already,
introduces a handful of new
restrictions for supervised
devices that allow schools which
want to use teacher-created
classes on their supervised
student iPads to achieve most of
the behavior of managed classes.

And we've also added a new
student activity view that
appears at the end of each class
session and it looks like this.
So, the teacher can get a quick
overview of which apps her
students used most often.
Can easily see which app each
student used and when.

Can look at any documents or
URLs the students shared during
the class session.

And also drill into each student
to see which apps that student
used and when.

So that's Classroom 2.1, try it
out.
Next, content caching.

Now the caching server has been
an important feature for schools
and businesses to optimize their
download bandwidth usage and
it's been part of macOS server
for years so why do I have a new
badge up there?
Well that's because it's now
built right into macOS High
Sierra making it much easier for
it to be used even more commonly
in schools and businesses.

We also now have UI for the
caching server and the new
tethered caching service that we
soft-launched earlier this
spring in macOS 10.12.4 so that
it would be available in time
for summer's preparations for
the next school year.
But instead of talking about it
more I would love to have Nolan
Astron [phonetic] to come up and
demo it to you.

Nolan.
I'm Nolan Astron, I'm a
software engineer at Apple and
today I'm going to demo for you
tethered caching.

Tethered caching has three main
pieces to it.
It provides a wired Internet
connection to all the USB
connected iOS devices, it
instantiates the content caching
service on the Mac, and it
funnels all the network traffic
of those tethered devices
through the content caching
service when downloading
cacheable Apple content.

To enable this feature, you're
going to want to pop into the
sharing pane of System
Preferences and you're going to
want to have the Share Internet
Connection checkbox checked and
the Content Caching checkbox
checked just like I do here.
Those iOS devices can be
plugged in at any time, but this
feature really shines when those
iOS devices are enrolled in MDM.
When an MDM enrolled iOS device
becomes tethered it
automatically checks in with its
MDM server and sees if it has
any commands to process.

If a particular command requires
the network it's going to use
its USB interface instead of its
Wi-Fi interface when leveraging
the network.
This feature is extremely useful
when provisioning a large number
of iOS devices with overlapping
cacheable Apple content.

All right, so in front of me I
have four iPads hooked up to a
tethered caching station.

Eventually I'm going to download
the same app to each one of the
devices.

But while I do the download I'm
going to show you a little tool
that I built that's going to
monitor the network activity of
the Mac's Wi-Fi interface and of
the Mac's USB network
interfaces.
On the left-hand side, you'll
see a meter for Wi-Fi and on the
right-hand side, you will see a
meter for USB network activity.
So right now, I'm going to
download the app to the first
device.
You'll see that both the Wi-Fi
and USB network activity are
required to process that
download command.

The Mac needs to download the
asset from the Internet and it
needs to push it to the device
over USB.
All right, cool.
Well now that the app is cached
I'm going to download the same
app to the remaining three
devices.

Awesome. You'll see that for all
the remaining downloads of that
same app there's no network
activity on the Wi-Fi interface
required.
The Mac already has a cached
copy of it and all it needs to
do is push that cached version
to the devices over USB.

And just to be clear, it's not
required that one iPad download
the app before any other ones;
that was done strictly for demo
purposes.
So why are you going to like
this feature?
Well we think you're going to
like the tethered part of
tethered caching because it's
going to move the network
bandwidth required for
provisioning a large number of
devices off your Wi-Fi network
leaving it usable for the rest
of the connected clients.
And we think you're going to
like the caching part of
tethered caching as it will
significantly reduce the amount
of bandwidth necessary to
provision your iOS devices.
Thank you for watching and I'm
going to hand the stage back to
Todd.
Thank you very much Nolan.

I do want to apologize that we
forgot to install the Siri
profanity filter restriction on
this session, but we'll take
care of that.
So that brings us to the end of
our tools update and I just want
to quickly sum up as we wrap up
our time together with a couple
of notes for app developers.
Now that we support managed app
configuration for tvOS apps too,
please make sure your apps are
supported.
For those of you who would like
to sell a lot of copies of your
apps into education, make sure
that they're good customers for
Shared iPad by storing all the
data that you want to persist in
the cloud, whether it's iCloud
or your own third-party cloud
solution, and don't rely on
backup or local data, which won't
survive logging into a different
device.
Once you've done this work you
can also take advantage of the
option in iTunes Connect to mark
your app as optimized for Shared
iPad again, making it more
interesting to education
customers who might want to buy
hundreds or thousands of copies
of it.
Finally, if your app has a
strong dependency on network
traffic and latency, take
advantage of some of the Cisco
Fastlane options to optimize
that traffic and there's a lab
tomorrow that I will highlight
in a moment where you can get
help with that.
For MDM vendors, of course we
want you to support all these
new features and we'll be in the
lab after this to help you with
any questions you have.
I would also like to encourage
you to adopt all the security
enhancements that Bob talked
about during the enrollment
section.

For administrators, take
advantage of all these great new
capabilities to build compelling
new deployments that link iPads
and Macs and Apple TV just like
UCSD has and come up with some
amazing things that no one else
has thought of.
And finally, be ready, yes
Pradhap stole my thunder, but
next you need to be ready for
those restrictions to be
supervised only and honored only
on supervised devices.
So, we had a lot more
information, documentation, help
guides for the tools, all kinds
of information at the session
link, session 304.
We have a couple of sessions
still happening this week that
you might be interested in.
There's a What's New with Screen
Recording tomorrow morning; if
you're building tools for
remotely assisting customers,
there's some very
interesting technology in the
new version of ReplayKit.
And we talked a little bit about
kiosk and assessment apps, but
there's a whole session about
that tomorrow afternoon if
you're interested in that, I
encourage you to check that out.
And with that, I will thank you
very much for your attention and
hope you enjoy the rest of the
WWDC.

Thank you very much.
